On Thu, 18 Apr 2013, Kent_Landfield@McAfee.com wrote:
: History serves up lessons that if you ignore them, you are asking for
: problems. When we started CVE in 1999 we felt there was no way it was
: possible to get to 10,000 CVEs a year. That was the consensus then of
: all involved. Fast forward a decade and we had run into the problem.
I would not have been among those for sure. Back then, many of us realized
that 10k a year was possible, even if improbable.
: Today we are in a position where we have to correct the
: problem/situation we once thought inconceivable. Do we really want to
: be shortsighted and ignore what we have actively seen occur to us in the
: past? Absurd it is not, conservative, yes.
Your comment is factually incorrect. As of this day, CVE has not hit
10,000 vulnerabilities in a year. We have not "actively seen [this] occur
to us in the past", or present.
CVE is almost 14 years old, and has not hit 10k in a given year. Even with
the creation of CNAs, increased awareness, a push for researchers to
obtain an ID before disclosure, educating vendors to do it, and pressing
Kurt Siefried into a CVE-labor camp, still no 10k.
Yes, there is a chance we will hit 10k, possibly this year. But I also
remind you of the board's decision to actually stop pursuing the goal of
issuing a CVE to all disclosed vulnerabilities. Instead of making an effor
to assign more, CVE has collectively decided to back off that, and only
focus on the 'priority' vendors and sources. This shift in CVE is part of
what I mentioned before in those quotes, that a 1MIL+ CVE-a-year is a
radically different CVE than we have today. It would fundamentally shift
the purpose of the effort, not to mention the way it operates.
: As a vendor that has to deal with this across many different product
: lines, many different research and development databases across
: differing security technologies, we really do not want to find ourselves
: in this situation again. This type of effort, changing a format that is
And this speaks to my point about selfish desires. You are making this
decision based on YOUR company, and YOUR development cycles that will be
used to change the scheme internally. This is not voting in the interest
of the community at all.
: or internal development or research resources has to be verified that it
: will not have an issue with the format change. This is not like having
: one database, this is very extensive and the costs to make this change
: and validate it will be too.
I will be the community advocate on this response:
So what? Your problem, not mine.
: This impacts the community as a whole. This change will cause
: problems in areas we have no idea of today.
This argument is just as valid for voting against 'B' as it is against
'A'.